APPSEC IN A CONTAINER WORLD AKASH MAHAJAN - DIRECTOR APPSECCO

WE NOW LIVE IN A CONTAINER WORLD # Container(Camp|Conf|World)

IT/OPS AND DEVS ARE COMING TOGETHER # devops

THERE IS A MAJOR SHIFT IN SECURITY #SHIFTLEFT Shannon Lietz (Keynote at DevSecCon Asia 2017)

APPSEC TESTING HAS TO BECOME PART OF THE DEVOPS OR BE LEFT BEHIND The reality is, Microsoft Security Dev Lifecycle is about 17 Years Old!

CONTAINERS ENABLE SELF-SERVICE AN IMPORTANT ASPECT OF DEVOPS

CONTINUOUS * PIPELINE MODE ON CONTAINERS ENABLE INTEGRATION AND DEPLOYMENT ON TAP

From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment CHECK FOR SECURITY 1 2 3 4

CONTAINERS, APP SEC & OWASP

RELEVANT APPSEC RISKS FROM THE POINT OF VIEW OF CONTAINERS OWASP Top 10 Issue What is that? A1 Injection Stuff that harms the server A2 Broken AuthN Stuff that lets attackers access parts of the application, which allows them to upload stuff that harms the server A4 Insecure Direct Object Reference A5 Security Misconfiguration Stuff that makes the infra supporting the app insecure A9 Using components with Known Vulnerabilities Stuff that possibly enables any or all of the above, due to using 3rd party stuff

A5 IS A SOLVED PROBLEM, MAYBE!! OWASP A5 - SECURITY MISCONFIGURATION

PATCHED UN-PATCHED

IMMUTABLE INFRASTRUCTURE FTW!!! Akash Mahajan THERE IS NO REASON TO HARDEN EVERY TIME, WE JUST START FROM SCRATCH AND TAKE THE LATEST PATCHED VERSION EVERY SINGLE TIME

A9 CAN BE SOLVED WITH PRIVATE REPOS & REGISTRIES MAYBE OWASP A9 - USING COMPONENTS WITH KNOWN VULNERABILITIES

SO WHAT IS YOUR SECURITY NIGHTMARE, KEEPING YOU AWAKE?

WHAT ABOUT APPLICATION’S SECURITY?

WHAT IS THIS THAT IS GOING TO BURST OUR BUBBLE? 15,000,000 RECORDS FOUND BECAUSE MANAGEMENT HAD WEAK PASSWORD ON APPLICATION 3000 PASSPORTS AND DRIVER’S LICENSES LEAKED BECAUSE THE CONTRACTOR DIDN’T RESET THE CEO’S WEAK PASSWORD ROOT ON RETAIL E-COMMERCE SERVER BECAUSE OUTSOURCED VENDOR ALWAYS USES COMPANY NAME AS CMS ADMIN PASSWORD

TYPICALLY AT THIS POINT PEOPLE TRY TO SOLVE SECURITY BY

MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY MONITORING IS NOT SECURITY

WHILE AUTHN AND AUTHZ GO A LONG WAY IN ENSURING SECURITY OF ACCESS

NO AMOUNT OF AUTOMATION CAN SOLVE BIZ LOGIC ISSUES

IF ALL YOUR PROCESS ALLOWS FOR IS A FINAL SECURITY REVIEW, THEN

From http://stackoverflow.com/questions/28608015/continuous-integration-vs-continuous-delivery-vs-continuous-deployment CHECK FOR SECURITY 1 2 3 4 AUTOMATED AUTOMATED AUTOMATED NOT-AUTOMATED

WHAT CAN THIS NON-AUTOMATED APPROACH LOOK LIKE? IS THERE A CHECKLIST WE CAN FOLLOW?

Issues OWASP Top 10 Input based A1, A3, A4, A8, A10 Logic & Design based A2, A5, A6, A7 Access Control A2, A5, A6, A7 Any other A9 API Testing Can span multiple TAKEAWAY

THAT APPLICATION SECURITY GUY

No content

QUESTIONS @makash | https://linkd.in/webappsecguy | [email protected]